[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2020-08-15 Thread Rex Tsai
** Tags added: oem-priority

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1711203

Title:
  Deployments fail when Secure Boot enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/curtin/+bug/1711203/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2019-12-04 Thread Rex Tsai
** Also affects: oem-priority
   Importance: Undecided
   Status: New


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2019-12-04 Thread Woodrow Shen
Hi,

I know this bug was gone for a while, but here are my findings,
which may be a regression:

Test environment:
MAAS version: 2.5.0 (7442-gdf68e30a5-0ubuntu1~18.04.1)

1. Dell G3 3590 laptop with secure boot enabled

Deploying 18.04 from MAAS => Got the same error as bug described.
Deploying 19.10 from MAAS => Got the same error as bug described.

2. Shuttle Inc. DH270 with secure boot enabled

Deploying 18.04 from MAAS => Got the same error as bug described.
Deploying 19.10 from MAAS => Got the same error as bug described.

From the screenshot I attached, it apparently said the machine had secure
boot enabled, but it still shows shim's message.

Another phenomenon occurred when doing a grub chainload from local disk: the
grub provided by MAAS looks for grubx64.efi in /efi/boot instead of
/efi/ubuntu/, and it reported "not found" for that path because
grubx64.efi actually didn't exist under /efi/boot/. I'm not sure if this
behaviour is expected or not.

Any comment?

** Attachment added: "maas.jpg"
   https://bugs.launchpad.net/maas/+bug/1711203/+attachment/5309736/+files/maas.jpg


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-09-14 Thread Mathieu Trudel-Lapierre
Shim 15+ includes the fix for this chainloading trick; you should now be
able to chainload from:

tftp shim -> tftp grub -> disk shim -> disk grub

That shim 15+ version is in cosmic for now; pending more investigation
into the relocation bug that was identified in bionic.

** Changed in: shim (Ubuntu)
   Status: In Progress => Fix Released

** Also affects: shim (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: shim (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: shim (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: shim (Ubuntu Bionic)
 Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-09-14 Thread Steve Langasek
The SRU of shim 15+ has been rolled back from bionic-updates while we
investigate this issue.

** Tags added: regression-update


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-09-14 Thread Steve Langasek
Sorry, commenting on the wrong bug - this bug is obviously older than
the most recent SRU-induced problem.

** Tags removed: regression-update


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-06-25 Thread Michael Reed
** Changed in: dellserver
   Status: New => Fix Released


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-04-04 Thread Andres Rodriguez
** Changed in: maas
   Status: Fix Committed => Fix Released

** Changed in: maas
Milestone: 2.3.0 => None


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-03-27 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~mpontillo/maas/+git/maas/+merge/342242


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-03-05 Thread Andres Rodriguez
** Changed in: maas/2.3
   Status: Fix Committed => Fix Released


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-23 Thread MAAS Lander
** Changed in: maas/2.3
   Status: In Progress => Fix Committed


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-23 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~andreserl/maas/+git/maas/+merge/339444


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-23 Thread MAAS Lander
** Changed in: maas
   Status: In Progress => Fix Committed


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-23 Thread Rod Smith
Jeff,

The Cisco C-240 M4 (boldore) that originally produced this bug seems to
have been returned to OIL, so I can't test with it, at least not
quickly; however, I did just run a test with feebas, a Cisco C220 M4. I
was able to deploy Ubuntu 16.04 and boot it with Secure Boot enabled,
and verified SB was enabled on the deployed system, by using the
workaround in post #36.


Re: [Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Steve Langasek
On Fri, Feb 23, 2018 at 01:13:42AM -, Andres Rodriguez wrote:
> > bladernr@critical-maas:/var/lib/maas/boot-resources/current/bootloader/uefi/amd64$ ll
> > total 2328
> > drwxr-xr-x 2 maas maas    4096 Feb 22 17:34 ./
> > drwxr-xr-x 4 maas maas    4096 Feb 22 17:34 ../
> > -rw-r--r-- 2 maas maas 1196736 Feb  5 07:29 bootx64.efi
> > -rw-r--r-- 2 maas maas 1173368 Feb  5 07:29 grubx64.efi

> > That all comes from maas.io.

> > I presume it's one of these?

> > http://images.maas.io/ephemeral-v3/daily/streams/v1/com.ubuntu.maas:daily:1:bootloader-download.json

> Whichever is the latest version in -updates at the time the streams were
> created.

> But yes, the latest version on the bootloader stream.

This matches the filesize of the grubnetx64.efi.signed from
grub2 2.02~beta2-36ubuntu3.16 - so it looks like this is up-to-date.


Re: [Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Andres Rodriguez
On Thu, Feb 22, 2018 at 7:55 PM, Jeff Lane wrote:

> On Thu, Feb 22, 2018 at 6:28 PM, Steve Langasek wrote:
> > On Thu, Feb 22, 2018 at 11:06:51PM -, Jeff Lane wrote:
> >> > Is /efi/ubuntu/grubx64.efi on your EFI System Partition definitely the
> >> > Canonical-signed image from grub-efi-amd64-signed?
> >
> >> I presume so? dpkg says it is: They look the same to me:
> >
> >> ubuntu@xwing:/boot/efi/EFI/ubuntu$ dpkg -S grubx64.efi
> >> grub-efi-amd64-signed: /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
> >
> > That doesn't establish that /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
> > and /boot/efi/EFI/ubuntu/grubx64.efi match.  Can you please verify that they
> > do?
>
> Doh!... indeed.
> ubuntu@xwing:~$ md5sum /boot/efi/EFI/ubuntu/grubx64.efi /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
> 474a3900382e54c2129626683f12f3b5  /boot/efi/EFI/ubuntu/grubx64.efi
> 474a3900382e54c2129626683f12f3b5  /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
> ubuntu@xwing:~$ diff -s /boot/efi/EFI/ubuntu/grubx64.efi /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
> Files /boot/efi/EFI/ubuntu/grubx64.efi and /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed are identical
>
> >> > Which version of Ubuntu's grub are you booting via pxe?
> >
> >> ubuntu@xwing:/boot/efi/EFI/ubuntu$ dpkg -l |grep grub|awk '{print $2": "$3}'
> >> grub-common: 2.02~beta2-36ubuntu3.16
> >> grub-efi-amd64: 2.02~beta2-36ubuntu3.16
> >> grub-efi-amd64-bin: 2.02~beta2-36ubuntu3.16
> >> grub-efi-amd64-signed: 1.66.16+2.02~beta2-36ubuntu3.16
> >> grub-pc: 2.02~beta2-36ubuntu3.16
> >> grub-pc-bin: 2.02~beta2-36ubuntu3.16
> >> grub2-common: 2.02~beta2-36ubuntu3.16
> >
> >> That is what is installed on the node.
> >
> > Sorry, I was asking about the other end of this: what version of
> > grubnetx64.efi is being served by maas?
>
> I have no idea.  Andres?
>
> As far as I can tell, it's serving up a copy of grubx64.efi out of
> /var/lib/maas/boot-resources/current
>
> which has files dated Feb 5.


> bladernr@critical-maas:/var/lib/maas/boot-resources/current/bootloader/uefi/amd64$ ll
> total 2328
> drwxr-xr-x 2 maas maas    4096 Feb 22 17:34 ./
> drwxr-xr-x 4 maas maas    4096 Feb 22 17:34 ../
> -rw-r--r-- 2 maas maas 1196736 Feb  5 07:29 bootx64.efi
> -rw-r--r-- 2 maas maas 1173368 Feb  5 07:29 grubx64.efi
>
> That all comes from maas.io.
>
> I presume it's one of these?
>
> http://images.maas.io/ephemeral-v3/daily/streams/v1/com.ubuntu.maas:daily:1:bootloader-download.json


Whichever is the latest version in -updates at the time the streams were
created.

But yes, the latest version on the bootloader stream.

>
>
>
> >
> > (But it is also good to confirm what version of grub is installed on the
> > node's disk.)
> >
> >> So I re-enabled SecureBoot and removed all NICs from the boot order.  I
> >> added in the HDD (since this is an EFI boot, the HDD is an entry called
> >> "Ubuntu" under "OTHER" in the boot order)
> >
> >> This fails to boot, I get an error from the system:
> >
> >> Error 1962: No operating system found. Boot sequence will automatically
> >> repeat.
> >
> >> Because I have no NICs listed in the boot order, this just churns as it
> >> keeps retrying the HDD entry.
> >
> >> So next, I went back and disabled SecureBoot once more.  It immediately
> >> booted straight from the HDD.
> >
> >> I also just tried a USB install with Secure Boot enabled.  I was able to
> >> install bionic from USB, but it too fails to boot with the same error.
> >
> >> To be fair at this point, given that this does work elsewhere, I'm
> >> suspicious that this is possibly an issue with my server.
> >
> > Agreed.  Something is wrong with the boot configuration of this node, which
> > is independent of the question of whether we have a viable workaround for
> > the netboot chainloading bug.
>
> I'm going to see if I can update the firmware on this node and maybe
> that will make a difference.  Otherwise, we'll need to try that C240
> in the lab.
>

[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Andres Rodriguez
FWIW, I did a bit of extra testing. I killed maas' rackd (which provides
PXE). Rebooted the machine and I saw:

1. It attempted to PXE boot multiple times (like a lot)
2. It eventually gave up and booted from disk

So it successfully booted into the deployed OS.

I noticed that the curtin installation reported the boot order, and
seems that (1) above was caused because of the following:

BootCurrent: 0006
Timeout: 1 seconds
BootOrder: 0006,,0004,0003,0008,0007,0005,0009,000A
Boot* ubuntu
Boot0003* UEFI: Intel(R) I350 Gigabit Network Connection
Boot0004* UEFI: IP4 Intel(R) I350 Gigabit Network Connection
Boot0005* UEFI: Intel(R) I350 Gigabit Network Connection
Boot0006* UEFI: IP4 Intel(R) I350 Gigabit Network Connection
Boot0007* UEFI: Intel(R) 82599 10 Gigabit Dual Port Network Connection
Boot0008* UEFI: IP4 Intel(R) 82599 10 Gigabit Dual Port Network Connection
Boot0009* UEFI: Intel(R) 82599 10 Gigabit Dual Port Network Connection
Boot000A* UEFI: IP4 Intel(R) 82599 10 Gigabit Dual Port Network Connection

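
The boot-order observation in the message above, as an added example that is not part of the original thread: a small parser for non-verbose `efibootmgr` output that classifies each BootOrder slot and counts how many network entries the firmware tries before it reaches the first non-network entry. The function names, the sample listing (entry numbers are constructed) and the label heuristic for spotting network entries are assumptions made for this example.

```sh
#!/bin/sh
# Added example: classify UEFI boot entries from `efibootmgr` output and count
# the network entries that sit ahead of the first disk entry in BootOrder.

# Constructed sample, modelled on the layout of the listing in the thread.
# Entry numbers and their order are made up for the example.
SAMPLE_EFIBOOTMGR='BootCurrent: 0006
Timeout: 1 seconds
BootOrder: 0006,0004,0000,0003,000B
Boot0000* ubuntu
Boot0003* UEFI: Intel(R) I350 Gigabit Network Connection
Boot0004* UEFI: IP4 Intel(R) I350 Gigabit Network Connection
Boot0006* UEFI: IP4 Intel(R) I350 Gigabit Network Connection'

# Reads efibootmgr output on stdin and prints one line per BootOrder slot:
#   "<position> <id> <kind> <label>"
# kind is "net", "other", or "missing" (listed in BootOrder but no BootXXXX
# line exists). The "net" test (label mentions Network, PXE, IP4 or IP6) is an
# assumption that fits the labels seen in this thread; firmware labels vary.
boot_order_report() {
    awk '
        /^BootOrder:/ {
            sub(/^BootOrder:[ \t]*/, "")
            n = split($0, order, ",")
            next
        }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            id = toupper(substr($0, 5, 4))
            label = $0
            sub(/^Boot....\*?[ \t]*/, "", label)   # drop "Boot0000* " prefix
            labels[id] = label
            seen[id] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                id = toupper(order[i])
                if (id == "") continue             # tolerate empty slots
                if (!(id in seen))
                    kind = "missing"
                else if (labels[id] ~ /Network|PXE|IP4|IP6/)
                    kind = "net"
                else
                    kind = "other"
                printf "%d %s %s %s\n", ++pos, id, kind, labels[id]
            }
        }'
}

# Reads efibootmgr output on stdin and prints how many network entries come
# before the first existing non-network entry. Entries of kind "missing" are
# ignored. Exit status is 1 when BootOrder holds no non-network entry at all.
net_entries_before_disk() {
    boot_order_report | awk '
        $3 == "net"   { count++; next }
        $3 == "other" { print count + 0; found = 1; exit }
        END           { if (!found) { print count + 0; exit 1 } }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_EFIBOOTMGR" | boot_order_report
printf 'network entries tried before disk: %s\n' \
    "$(printf '%s\n' "$SAMPLE_EFIBOOTMGR" | net_entries_before_disk)"
```

On a deployed node, pipe the output of `efibootmgr` into `boot_order_report` in place of the sample; a non-zero count means the firmware will attempt network boot that many times before falling through to the disk entry.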

Re: [Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Jeff Lane
On Thu, Feb 22, 2018 at 6:28 PM, Steve Langasek wrote:
> On Thu, Feb 22, 2018 at 11:06:51PM -, Jeff Lane wrote:
>> > Is /efi/ubuntu/grubx64.efi on your EFI System Partition definitely the
>> > Canonical-signed image from grub-efi-amd64-signed?
>
>> I presume so? dpkg says it is: They look the same to me:
>
>> ubuntu@xwing:/boot/efi/EFI/ubuntu$ dpkg -S grubx64.efi
>> grub-efi-amd64-signed: /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
>
> That doesn't establish that /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
> and /boot/efi/EFI/ubuntu/grubx64.efi match.  Can you please verify that they
> do?

Doh!... indeed.
ubuntu@xwing:~$ md5sum /boot/efi/EFI/ubuntu/grubx64.efi /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
474a3900382e54c2129626683f12f3b5  /boot/efi/EFI/ubuntu/grubx64.efi
474a3900382e54c2129626683f12f3b5  /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
ubuntu@xwing:~$ diff -s /boot/efi/EFI/ubuntu/grubx64.efi /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
Files /boot/efi/EFI/ubuntu/grubx64.efi and /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed are identical

>> > Which version of Ubuntu's grub are you booting via pxe?
>
>> ubuntu@xwing:/boot/efi/EFI/ubuntu$ dpkg -l |grep grub|awk '{print $2": "$3}'
>> grub-common: 2.02~beta2-36ubuntu3.16
>> grub-efi-amd64: 2.02~beta2-36ubuntu3.16
>> grub-efi-amd64-bin: 2.02~beta2-36ubuntu3.16
>> grub-efi-amd64-signed: 1.66.16+2.02~beta2-36ubuntu3.16
>> grub-pc: 2.02~beta2-36ubuntu3.16
>> grub-pc-bin: 2.02~beta2-36ubuntu3.16
>> grub2-common: 2.02~beta2-36ubuntu3.16
>
>> That is what is installed on the node.
>
> Sorry, I was asking about the other end of this: what version of
> grubnetx64.efi is being served by maas?

I have no idea.  Andres?

As far as I can tell, it's serving up a copy of grubx64.efi out of
/var/lib/maas/boot-resources/current

which has files dated Feb 5.

bladernr@critical-maas:/var/lib/maas/boot-resources/current/bootloader/uefi/amd64$ ll
total 2328
drwxr-xr-x 2 maas maas    4096 Feb 22 17:34 ./
drwxr-xr-x 4 maas maas    4096 Feb 22 17:34 ../
-rw-r--r-- 2 maas maas 1196736 Feb  5 07:29 bootx64.efi
-rw-r--r-- 2 maas maas 1173368 Feb  5 07:29 grubx64.efi

That all comes from maas.io.

I presume it's one of these?

http://images.maas.io/ephemeral-v3/daily/streams/v1/com.ubuntu.maas:daily:1:bootloader-download.json


>
> (But it is also good to confirm what version of grub is installed on the
> node's disk.)
>
>> So I re-enabled SecureBoot and removed all NICs from the boot order.  I
>> added in the HDD (since this is an EFI boot, the HDD is an entry called
>> "Ubuntu" under "OTHER" in the boot order)
>
>> This fails to boot, I get an error from the system:
>
>> Error 1962: No operating system found. Boot sequence will automatically
>> repeat.
>
>> Because I have no NICs listed in the boot order, this just churns as it
>> keeps retrying the HDD entry.
>
>> So next, I went back and disabled SecureBoot once more.  It immediately
>> booted straight from the HDD.
>
>> I also just tried a USB install with Secure Boot enabled.  I was able to
>> install bionic from USB, but it too fails to boot with the same error.
>
>> To be fair at this point, given that this does work elsewhere, I'm
>> suspicious that this is possibly an issue with my server.
>
> Agreed.  Something is wrong with the boot configuration of this node, which
> is independent of the question of whether we have a viable workaround for
> the netboot chainloading bug.

I'm going to see if I can update the firmware on this node and maybe
that will make a difference.  Otherwise, we'll need to try that C240
in the lab.


Re: [Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Andres Rodriguez
This brings up a good point. What I didn’t test, which I will do tomorrow, is
what happens if I kill MAAS and let the same system boot from disk. I
wonder if it will boot.

On Thu, Feb 22, 2018 at 6:20 PM Jeff Lane wrote:

> > Is /efi/ubuntu/grubx64.efi on your EFI System Partition definitely the
> > Canonical-signed image from grub-efi-amd64-signed?
>
> I presume so? dpkg says it is:
>
> ubuntu@xwing:/boot/efi/EFI/ubuntu$ dpkg -S grubx64.efi
> grub-efi-amd64-signed: /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
>
> That's the only thing that provides the file (that I can tell).
>
> > Which version of Ubuntu's grub are you booting via pxe?
>
> ubuntu@xwing:/boot/efi/EFI/ubuntu$ dpkg -l |grep grub|awk '{print $2": "$3}'
> grub-common: 2.02~beta2-36ubuntu3.16
> grub-efi-amd64: 2.02~beta2-36ubuntu3.16
> grub-efi-amd64-bin: 2.02~beta2-36ubuntu3.16
> grub-efi-amd64-signed: 1.66.16+2.02~beta2-36ubuntu3.16
> grub-pc: 2.02~beta2-36ubuntu3.16
> grub-pc-bin: 2.02~beta2-36ubuntu3.16
> grub2-common: 2.02~beta2-36ubuntu3.16
>
> That is what is installed on the node.
>
> > If you re-enable SecureBoot and configure this system to boot directly from
> > local disk instead of booting pxe first and chainloading, does it boot
> > successfully?
>
> So I re-enabled SecureBoot and removed all NICs from the boot order.  I
> added in the HDD (since this is an EFI boot, the HDD is an entry called
> "Ubuntu" under "OTHER" in the boot order)
>
> This fails to boot, I get an error from the system:
>
> Error 1962: No operating system found. Boot sequence will automatically
> repeat.
>
> Because I have no NICs listed in the boot order, this just churns as it
> keeps retrying the HDD entry.
>
> So next, I went back and disabled SecureBoot once more.  It immediately
> booted straight from the HDD.
>
> I also just tried a USB install with Secure Boot enabled.  I was able to
> install bionic from USB, but it too fails to boot with the same error.
>
> To be fair at this point, given that this does work elsewhere, I'm
> suspicious that this is possibly an issue with my server.
>
> That said, I'd like to see this verified on that Cisco C240 system as an
> extra data point.
>
-- 
Andres Rodriguez (RoAkSoAx)
Ubuntu Server Developer
MSc. Telecom & Networking
Systems Engineer


Re: [Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Steve Langasek
On Thu, Feb 22, 2018 at 11:06:51PM -, Jeff Lane wrote:
> > Is /efi/ubuntu/grubx64.efi on your EFI System Partition definitely the
> > Canonical-signed image from grub-efi-amd64-signed?

> I presume so? dpkg says it is:

> ubuntu@xwing:/boot/efi/EFI/ubuntu$ dpkg -S grubx64.efi
> grub-efi-amd64-signed: /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed

That doesn't establish that /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
and /boot/efi/EFI/ubuntu/grubx64.efi match.  Can you please verify that they
do?

> > Which version of Ubuntu's grub are you booting via pxe?

> ubuntu@xwing:/boot/efi/EFI/ubuntu$ dpkg -l |grep grub|awk '{print $2": "$3}'
> grub-common: 2.02~beta2-36ubuntu3.16
> grub-efi-amd64: 2.02~beta2-36ubuntu3.16
> grub-efi-amd64-bin: 2.02~beta2-36ubuntu3.16
> grub-efi-amd64-signed: 1.66.16+2.02~beta2-36ubuntu3.16
> grub-pc: 2.02~beta2-36ubuntu3.16
> grub-pc-bin: 2.02~beta2-36ubuntu3.16
> grub2-common: 2.02~beta2-36ubuntu3.16

> That is what is installed on the node.

Sorry, I was asking about the other end of this: what version of
grubnetx64.efi is being served by maas?

(But it is also good to confirm what version of grub is installed on the
node's disk.)

> So I re-enabled SecureBoot and removed all NICs from the boot order.  I
> added in the HDD (since this is an EFI boot, the HDD is an entry called
> "Ubuntu" under "OTHER" in the boot order)

> This fails to boot, I get an error from the system:

> Error 1962: No operating system found. Boot sequence will automatically
> repeat.

> Because I have no NICs listed in the boot order, this just churns as it
> keeps retrying the HDD entry.

> So next, I went back and disabled SecureBoot once more.  It immediately
> booted straight from the HDD.

> I also just tried a USB install with Secure Boot enabled.  I was able to
> install bionic from USB, but it too fails to boot with the same error.

> To be fair at this point, given that this does work elsewhere, I'm
> suspicious that this is possibly an issue with my server.

Agreed.  Something is wrong with the boot configuration of this node, which
is independent of the question of whether we have a viable workaround for
the netboot chainloading bug.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Jeff Lane
> Is /efi/ubuntu/grubx64.efi on your EFI System Partition definitely the
> Canonical-signed image from grub-efi-amd64-signed?

I presume so? dpkg says it is:

ubuntu@xwing:/boot/efi/EFI/ubuntu$ dpkg -S grubx64.efi
grub-efi-amd64-signed: /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed

That's the only thing that provides the file (that I can tell).

> Which version of Ubuntu's grub are you booting via pxe?

ubuntu@xwing:/boot/efi/EFI/ubuntu$ dpkg -l |grep grub|awk '{print $2": "$3}'
grub-common: 2.02~beta2-36ubuntu3.16
grub-efi-amd64: 2.02~beta2-36ubuntu3.16
grub-efi-amd64-bin: 2.02~beta2-36ubuntu3.16
grub-efi-amd64-signed: 1.66.16+2.02~beta2-36ubuntu3.16
grub-pc: 2.02~beta2-36ubuntu3.16
grub-pc-bin: 2.02~beta2-36ubuntu3.16
grub2-common: 2.02~beta2-36ubuntu3.16

That is what is installed on the node.

> If you re-enable SecureBoot and configure this system to boot directly from
> local disk instead of booting pxe first and chainloading, does it boot
> successfully?

So I re-enabled SecureBoot and removed all NICs from the boot order.  I
added in the HDD (since this is an EFI boot, the HDD is an entry called
"Ubuntu" under "OTHER" in the boot order)

This fails to boot, I get an error from the system:

Error 1962: No operating system found. Boot sequence will automatically
repeat.

Because I have no NICs listed in the boot order, this just churns as it
keeps retrying the HDD entry.

So next, I went back and disabled SecureBoot once more.  It immediately
booted straight from the HDD.

I also just tried a USB install with Secure Boot enabled.  I was able to
install bionic from USB, but it too fails to boot with the same error.

To be fair at this point, given that this does work elsewhere, I'm
suspicious that this is possibly an issue with my server.

That said, I'd like to see this verified on that Cisco C240 system as an
extra data point.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Steve Langasek
** Package changed: grub2 (Ubuntu) => shim (Ubuntu)


Re: [Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Steve Langasek
On Thu, Feb 22, 2018 at 08:45:17PM -, Jeff Lane wrote:
> Can we please verify that with one of the original failing systems
> (Cisco UCS C-240 M4) as well?

> Because that supermicro system works, my Lenovo fails even with the
> workaround (comments #48 and #49).

Is /efi/ubuntu/grubx64.efi on your EFI System Partition definitely the
Canonical-signed image from grub-efi-amd64-signed?

Which version of Ubuntu's grub are you booting via pxe?

If you re-enable SecureBoot and configure this system to boot directly from
local disk instead of booting pxe first and chainloading, does it boot
successfully?


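The first question above, whether the grubx64.efi on the EFI System Partition carries a signature at all, can be answered from the file itself. The following Python is an added example, not code from this thread or from any Ubuntu package: it reads the PE/COFF certificate table, where the Authenticode signatures checked by Secure Boot are embedded, and lists its entries. It shows only that a signature is present, not who signed it (checking the signer needs a verification tool such as sbverify and the signer's certificate); `build_sample` produces a constructed header for the demonstration, not a bootable image.

```python
import struct
import sys

CERT_DIR_INDEX = 4  # "Certificate Table" entry of the PE data directories


def pe_signatures(data):
    """List the WIN_CERTIFICATE entries embedded in a PE image ([] if unsigned)."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            raise ValueError("not a PE image: missing MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("not a PE image: missing PE signature")
        opt = pe_off + 4 + 20              # optional header follows the COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                 # PE32
            dirs = opt + 96
        elif magic == 0x20B:               # PE32+ (x86-64 EFI binaries)
            dirs = opt + 112
        else:
            raise ValueError("unknown optional header magic 0x%04x" % magic)
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count <= CERT_DIR_INDEX:
            return []
        # For this directory the first field is a file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from("<II", data, dirs + CERT_DIR_INDEX * 8)
        if cert_off == 0 or cert_size == 0:
            return []                      # no signature embedded
        end = cert_off + cert_size
        if end > len(data):
            raise ValueError("certificate table points past end of file")
        certs, pos = [], cert_off
        while pos + 8 <= end:
            length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
            if length < 8 or pos + length > end:
                raise ValueError("corrupt WIN_CERTIFICATE entry")
            certs.append({"revision": revision, "type": cert_type, "length": length})
            pos += (length + 7) & ~7       # entries are 8-byte aligned
        return certs
    except struct.error as exc:
        raise ValueError("truncated PE image: %s" % exc)


def build_sample(signed):
    """Constructed minimal PE32+ header used as sample input; not a real image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    opt_len = 112 + 16 * 8
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_len, 0x0022)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    if signed:
        blob = b"\x30\x82" + b"\0" * 10        # placeholder bytes, not a real PKCS#7
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        cert += b"\0" * (-len(cert) % 8)
        dir_off = 0x40 + 4 + 20 + 112 + CERT_DIR_INDEX * 8
        struct.pack_into("<II", image, dir_off, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    # With no arguments, run on the constructed samples; otherwise on given files.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, pe_signatures(fh.read()) or "UNSIGNED")
    else:
        print("signed sample:  ", pe_signatures(build_sample(True)))
        print("unsigned sample:", pe_signatures(build_sample(False)) or "UNSIGNED")
```

A certificate type of 0x0002 is the PKCS#7 SignedData form used for Authenticode; an empty result for the file on the ESP would mean the unsigned grub image was installed.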
[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Rod Smith
The workaround in #36 is now working for me on my home network, too.
Perhaps when I tested it in December (comment #39) I had different
software versions; or maybe I didn't correctly reproduce the changes in
comment #36.

I did a diff on what you posted in #48, Jeff, and it exactly matches
what I'm using, and what Andres put on weavile, so I don't think your
result is caused by an error in your configuration file.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Andres Rodriguez
** Changed in: maas
   Status: Triaged => In Progress

** Changed in: maas/2.3
   Status: Triaged => In Progress


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Jeff Lane
Can we please verify that with one of the original failing systems
(Cisco UCS C-240 M4) as well?

Because that supermicro system works, my Lenovo fails even with the
workaround (comments #48 and #49).

Unless I somehow mangled the workaround (see comment #48) and should re-try
with slightly different changes in that efi template.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Andres Rodriguez
Ok, so I've tested the workaround in a supermicro system provided by the
cert team, and this is my evaluation:

1. Without the workaround on #36, the machine fails to deploy (e.g.
Using the shim fails and the machine powers off)

2. With the workaround on #36, the machine deploys successfully.

I'm making this change in MAAS as a working workaround.

** Changed in: maas
   Status: Invalid => Triaged

** Changed in: maas
   Importance: Critical => High

** Changed in: maas
 Assignee: (unassigned) => Andres Rodriguez (andreserl)


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~andreserl/maas/+git/maas/+merge/338584


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Andres Rodriguez
** Also affects: maas/2.3
   Importance: Undecided
   Status: New

** Changed in: maas/2.3
Milestone: None => 2.3.1

** Changed in: maas/2.3
   Importance: Undecided => High

** Changed in: maas/2.3
   Status: New => Triaged

** Changed in: maas/2.3
 Assignee: (unassigned) => Andres Rodriguez (andreserl)


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Jeff Lane
Now, at this point, I'm stuck unbooted on the initial post-deployment
reboot.  So I reset the node by hand (poked the reset button) and
disabled SecureBoot in the config and rebooted it again.

This time, the node booted, pxe booted, got the edict to boot local, and
successfully booted locally.

If I do not take this step to disable secure boot during this
post-deployment reboot cycle, the system fails to boot and eventually is
marked as "Failed Deployment" once MAAS times out waiting for an update.

By manually intervening here, MAAS gets the proper message from the node
and marks the deployment as successful (Sets node to Deployed state).


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Jeff Lane
MAAS version: 2.3.0 (6434-gd354690-0ubuntu1~16.04.1)
This is my observation on a Lenovo RS140 with workaround enabled from comment #36:
Also, to be sure it's not something we've injected, I am using the default
curtin_userdata, NOT our customized cert one.

1: edit: /usr/lib/python3/dist-packages/provisioningserver/templates/uefi/config.local.amd64.template
2: sudo service maas-regiond restart
3: sudo service maas-rackd restart
4: Enable Secure Boot on server
5: Re-Commission node in MAAS
5.1: re-commission successful
6: Deploy Bionic
6.1: Bionic fails. Ephemeral boots and deployment proceeds. On reboot, node PXEs
and gets the boot loader stuff from MAAS and proceeds to boot locally.  This is
where it fails with this on screen:

Booting local disk...
error: no such device: /efi/ubuntu/grubx64.efi.
error: File not found.

Press any key to continue...

Failed to boot both default and fallback entries.

Press any key to continue.

I retried this with Xenial and got the same failure to boot on the
initial reboot.

This is what I have in the template per comments #36 and #38 above:
bladernr@critical-maas:/usr/lib/python3/dist-packages/provisioningserver/templates/uefi$ cat config.local.amd64.template
set default="0"
set timeout=0

menuentry 'Local' {
echo 'Booting local disk...'
{{if kernel_params.osystem == "windows"}}
search --set=root --file /efi/Microsoft/Boot/bootmgfw.efi
chainloader /efi/Microsoft/Boot/bootmgfw.efi
{{else}}
search --set=root --file /efi/ubuntu/grubx64.efi
chainloader /efi/ubuntu/grubx64.efi
{{endif}}
}


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-22 Thread Andres Rodriguez
So I've enabled secure boot on my Intel NUC's and have *not* used the
workaround in #36, and the machines deployed just fine (that is, they
pxe boot off MAAS and they are told to load the shim). The same scenario
is when using workaround in #36.

That said, the interesting bit is I remember testing these machines with
secure boot enabled when having the non-signed kernel, and they didn't
deploy. With the signed kernel, they started deploying.

So, I would like to test and see the difference in another machine other
than a NUC.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-21 Thread Mathieu Trudel-Lapierre
I'm at a loss to explain that. This works quite well in my netboot
testing when I remove MAAS from the equation. You *are* meant to be able
to chainload grub from another grub; and the reason why grub can't
chainload shim is that you then get the wrong set of shim protocols to
properly validate the next binary. This will need more testing; I will
need to know what hardware this is and what exactly is the content of
the grub configs.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-21 Thread Rod Smith
Mathieu, the workaround of chainloading GRUB rather than shim that you
suggested in comment #36 does not work; see my comment #39.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-21 Thread Mathieu Trudel-Lapierre
I have provided a workaround in comment #36, has this not been applied?
Landing a fix for this is going to take time, as it depends on a full
roundtrip of getting shim prepared, tested, and signed by Microsoft.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-15 Thread Jeff Lane
and Xenial

** Attachment added: "grub-fail-xenial.log"
   https://bugs.launchpad.net/maas/+bug/1711203/+attachment/5056017/+files/grub-fail-xenial.log


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-15 Thread Jeff Lane
Just as an update, this is still an issue with Grub in Bionic...

** Attachment added: "grub-fail-bionic.log"
   https://bugs.launchpad.net/maas/+bug/1711203/+attachment/5056013/+files/grub-fail-bionic.log


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-15 Thread Francis Ginther
** Tags added: id-5a28802797729aedf99dcd37


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-02-15 Thread Jeff Lane
Hi Mathieu,

Any update on this?  I'm also getting reports on this same issue from
one of the hardware partners as well who is unable to deploy nodes and
perform cert testing while Secure Boot is enabled.

** Tags added: blocks-hwcert-server


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2018-01-25 Thread Jochen Wezel
I also face this issue with nodes running on Hyper-V 2016 and enabled
Secure Boot (Microsoft UEFI cert.).

My node (with deployed Ubuntu 17.10) shows the following warning:
---
Bootloader has not verified loaded image.
System is compromised.  halting.
---
After a few seconds, the node powers off.

I'm currently using MAAS version: 2.3.0 (6434-gd354690-0ubuntu1~17.10.1)


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-12-14 Thread Rod Smith
Andres,

I've checked that, and it does *NOT* fix the problem; the system fails
to boot after a deployment in exactly the same way it did before.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-12-13 Thread Andres Rodriguez
@Rod,

Any chance you can test the work around of comment #36. You will need to
manually modify a file under:

/usr/lib/python3/dist-packages/provisioningserver/templates/uefi/config.local.amd64.template

And then restart maas-regiond & maas-rackd.

Thanks!


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-12-08 Thread Rod Smith
Lee, I tried http://162.213.35.187/proposed/streams/v1/index.json
earlier, in response to Andres' suggestion, and that stream did not
help. (See comments #24 and #25.) If you think that stream has changed
since I did my testing on November 27, I'm happy to try again; but if
not, it doesn't help.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-12-07 Thread Mathieu Trudel-Lapierre
That's not going to change anything -- grub is doing exactly what it
should: ask shim to validate the image it tries to chainload; and the
image *does* validate successfully. The chain of trust is technically
preserved, but shim doesn't manage to make sense of things, and refuses
to continue loading.

This is a "bug" in shim, in that it's not a use case that was
anticipated. Shim makes sense of the shim->fallback->shim->grub case
because in that case things do go through the steps of calling
load_image() and start_image() in firmware.

It also seems to me like a bug in grub because we ought to be loading
things in such a way that shim would be able to make sense of it --
currently, that's not quite the case because some relocations and other
image mangling needs to happen. I have an idea of a hack to fix this,
but I think the "right" fix would be in shim.

What happens is that given that load_image() isn't called directly, when
the second shim runs it doesn't uninstall the protocols and we end up
validating against the first loaded shim when we try to verify the
kernel's signature. This is effectively a variation on an issue that was
fixed in shim for the fallback EFI binary.

In the meantime, there's also a valid workaround: you should be able to
chainload *grub* rather than shim from the disk, and thus maintain the
chain of trust for Secure Boot:

menuentry 'Local' {
echo 'Booting local disk...'
search --set=root --file /efi/ubuntu/grubx64.efi
chainloader /efi/ubuntu/grubx64.efi
}


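The two local-boot configurations quoted in this thread differ only in what they chainload: the shim (the failing case described above) or grub (the workaround). As an added example, not code from MAAS, GRUB or any poster, this Python script audits such a config, including one with `{{if}}`/`{{else}}` template branches, and reports each chainload target, whether it is a shim, and whether a matching `search --file` set the root first. The classification by file name and the issue wording are assumptions of the example; the sample configs are constructed from the text quoted in the thread.

```python
import re
import shlex

# Constructed inputs: the two local-boot configs quoted in this thread.
SHIM_CFG = """\
set default="0"
set timeout=0

menuentry 'Local' {
echo 'Booting local disk...'
search --set=root --file /efi/ubuntu/shimx64.efi
chainloader /efi/ubuntu/shimx64.efi
}
"""

GRUB_TEMPLATE = """\
menuentry 'Local' {
echo 'Booting local disk...'
{{if kernel_params.osystem == "windows"}}
search --set=root --file /efi/Microsoft/Boot/bootmgfw.efi
chainloader /efi/Microsoft/Boot/bootmgfw.efi
{{else}}
search --set=root --file /efi/ubuntu/grubx64.efi
chainloader /efi/ubuntu/grubx64.efi
{{endif}}
}
"""

MENUENTRY = re.compile(r"""menuentry\s+(['"])(.*?)\1""")
TEMPLATE_TAG = re.compile(r"\{\{\s*(if|elif|else|endif)\b")

SHIM_ISSUE = "chainloads shim from a running grub (fails under Secure Boot per this thread)"
ROOT_ISSUE = "no matching 'search --file' before chainloader; root may be wrong"


def classify(path):
    """Classify a chainload target by file name (naming convention only)."""
    name = path.rsplit("/", 1)[-1].lower()
    if re.fullmatch(r"shim\w*\.efi", name):
        return "shim"
    if re.fullmatch(r"grub\w*\.efi", name):
        return "grub"
    return "other"


def audit(cfg_text):
    """Return one finding per chainloader command in a grub config or template."""
    findings = []
    entry, searched = None, None
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MENUENTRY.match(line)
        if m:
            entry, searched = m.group(2), None
            continue
        if TEMPLATE_TAG.match(line):
            searched = None            # each template branch needs its own search
            continue
        if line == "}":
            entry, searched = None, None
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:             # unbalanced quotes: fall back to whitespace
            tokens = line.split()
        args = [t for t in tokens[1:] if not t.startswith("-")]
        if tokens[0] == "search" and "--file" in tokens and args:
            searched = args[-1]
        elif tokens[0] == "chainloader" and args:
            target = args[-1]
            kind = classify(target)
            issues = []
            if kind == "shim":
                issues.append(SHIM_ISSUE)
            if searched != target:
                issues.append(ROOT_ISSUE)
            findings.append({"entry": entry, "line": lineno, "target": target,
                             "kind": kind, "issues": issues})
    return findings


if __name__ == "__main__":
    for label, cfg in (("shim config", SHIM_CFG), ("workaround template", GRUB_TEMPLATE)):
        for f in audit(cfg):
            status = "; ".join(f["issues"]) or "ok"
            print("%s line %d: %s (%s) -> %s" % (label, f["line"], f["target"], f["kind"], status))
```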
[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-12-07 Thread Lee Trager
While reading through #1730493 and #1437024 I noticed both had various
UEFI bootloader issues fixed by switching to the Artful version of grub
and the shim. I've updated
http://162.213.35.187/proposed/streams/v1/index.json to use boot loaders
from Artful in case anyone wants to test.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-12-06 Thread Mathieu Trudel-Lapierre
Yes, it's absolutely possible to recreate the environment for testing
this without MAAS -- there's nothing all that special to it,
chainloading *any* image should work and maintain a Secure Boot-verified
chain provided all the links in the chain validate images.

This looks to be pretty clearly a bug in chainloader's validation of
images, it used to work, but only because it wasn't actually verifying
much of it in the first place.

** Changed in: grub2 (Ubuntu)
   Status: New => In Progress

** Changed in: grub2 (Ubuntu)
 Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-12-06 Thread Steve Langasek
From Andres, the grub.cfg used for chainloading to local disk is:

set default="0"
set timeout=0

menuentry 'Local' {
echo 'Booting local disk...'
search --set=root --file /efi/ubuntu/shimx64.efi
chainloader /efi/ubuntu/shimx64.efi
}

It should be possible to recreate an environment outside of maas for
reproducing this (UEFI VM configured with SB on, netboot w/ shim+grub,
chainload to disk via the above .cfg).


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-12-05 Thread Andres Rodriguez
As per Rod's comments, I'm re-opening the grub task.

** Changed in: maas-images
   Status: Fix Committed => Fix Released

** Changed in: grub2 (Ubuntu)
   Status: Won't Fix => New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1711203

Title:
  Deployments fail when Secure Boot enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/curtin/+bug/1711203/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-12-05 Thread Ryan Harper
Reviewing @slangasek's notes

> It's worth checking whether this problem
> mysteriously resolves once linux-signed is being pulled in; if it does,
> then it's possible we have a bug in grub (enforcing signature when it's
> not supposed to) or simply a bug in firmware.

It would appear that despite the change to linux-signed, there is still a bug.
In that light, can we get next steps on debugging grub or firmware or whatever
else is needed to push this along?


On Tue, Dec 5, 2017 at 7:58 AM, Rod Smith wrote:

> I'd just like to emphasize that, although a change to always install the
> linux-signed kernel on AMD64 systems is necessary to fix this bug, it's
> not sufficient to fix the bug. As noted in my comment #25 (and
> elsewhere), another change is also required -- either a change to Shim
> or GRUB (I don't know which) or a change to how MAAS handles the boot
> process (to have the PXE-booted GRUB read the configuration file from
> the hard disk rather than chainload to GRUB on the hard disk; or perhaps
> a change to the way the handoff is done, if some tweak could bypass the
> bug).
>
> As before, I remain able and willing to test potential fixes.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-12-05 Thread Rod Smith
I'd just like to emphasize that, although a change to always install the
linux-signed kernel on AMD64 systems is necessary to fix this bug, it's
not sufficient to fix the bug. As noted in my comment #25 (and
elsewhere), another change is also required -- either a change to Shim
or GRUB (I don't know which) or a change to how MAAS handles the boot
process (to have the PXE-booted GRUB read the configuration file from
the hard disk rather than chainload to GRUB on the hard disk; or perhaps
a change to the way the handoff is done, if some tweak could bypass the
bug).

As before, I remain able and willing to test potential fixes.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-12-01 Thread Lee Trager
I've updated lp:maas-images to produce new images using the linux-signed
kernel on AMD64. New images are produced when
http://cloud-images.ubuntu.com/daily/ adds new images so it may take a few
days for signed kernels to appear in the stream. Unsupported releases are no
longer updated so we'll have to manually regenerate them if we want
signed kernels.

The stream also contains all bootloaders including the shim. Once a new
shim-signed package is released to Xenial the stream will automatically
ingest the update. Let me know if we want to test an updated
bootloader, I can produce a new proposed stream.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-12-01 Thread Lee Trager
** Changed in: maas-images
   Status: In Progress => Fix Committed


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-27 Thread Ryan Harper
Should we re-open the grub2 task then? or add a shim task?


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-27 Thread Andres Rodriguez
So to clarify, MAAS pxe config searches & chainloads
/efi/ubuntu/shimx64.efi. It seems here the issue is with the shim. As
per Rod's comments:

"Changes to Shim/GRUB so that it works in this configuration. This used
to be the case, but the Shim/GRUB configuration has been tightening
security, which introduced this bug as a side effect."


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-27 Thread Rod Smith
Here's the install log, cut-and-pasted from the MAAS web UI, for the
latest installation. Note that after the node shut down, I restarted it
and disabled Secure Boot to get it to complete.

** Attachment added: "install-log.txt"
   https://bugs.launchpad.net/maas/+bug/1711203/+attachment/5015350/+files/install-log.txt


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-27 Thread Andres Rodriguez
** Changed in: maas
   Status: Confirmed => Invalid


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-27 Thread Rod Smith
I've tried this and the problem persists. Note that MAAS *IS* installing
the signed kernel, which is necessary but insufficient for a fix; the
problem seems to be that Shim/GRUB is becoming confused by the handoff
from the PXE-boot version of GRUB to the GRUB stored on the hard disk.
If my analysis is correct, this will require either:

* Changes to Shim/GRUB so that it works in this configuration. This used to
  be the case, but the Shim/GRUB configuration has been tightening
  security, which introduced this bug as a side effect.
* A change in the way MAAS/curtin configures the PXE-booted GRUB so that it
  boots the system directly, without chainloading to GRUB on the hard disk.
  Note that this approach to a solution used to be used on ARM64 EFI
  systems, but that created a (now-fixed) bug #1582070. Thus, if this
  approach is used, care will have to be taken to not cause a regression on
  that bug.

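
The message above separates two conditions: a signed kernel being installed, and every stage of the PXE-to-disk handoff being accepted under Secure Boot. The following is an added example, not code from MAAS, curtin or this thread: it reads the raw SecureBoot EFI variable and reports which PE/COFF images in a boot chain carry no certificate table. The function names, the stage names in the demo and the sample bytes are constructed for illustration, and the images are assumed to be PE/COFF EFI binaries.

```python
import struct

SECURITY_DIR_INDEX = 4  # PE data directory slot for the Authenticode certificate table

def secure_boot_enabled(efivar: bytes) -> bool:
    """Parse a raw efivarfs SecureBoot file: 4 attribute bytes, then 1 data byte."""
    if len(efivar) < 5:
        raise ValueError("SecureBoot variable too short")
    return efivar[4] == 1

def pe_signature_size(image: bytes) -> int:
    """Return the size of the PE certificate table; 0 means the image is unsigned."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    opt = pe_off + 4 + 20                      # optional header follows the COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                         # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                       # PE32+ (x86-64, arm64)
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (ndirs,) = struct.unpack_from("<I", image, count_off)
    if ndirs <= SECURITY_DIR_INDEX:
        return 0
    _offset, size = struct.unpack_from("<II", image, dirs_off + 8 * SECURITY_DIR_INDEX)
    return size

def unsigned_stages(chain: dict) -> list:
    """Names of boot-chain stages whose image carries no signature."""
    return [name for name, image in chain.items() if pe_signature_size(image) == 0]

def sample_pe(cert_size: int) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + b"\0" * 20
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * SECURITY_DIR_INDEX, 0x1000 if cert_size else 0, cert_size)
    return dos + coff + opt + bytes(dirs)

if __name__ == "__main__":
    efivar = bytes([0x06, 0, 0, 0, 0x01])      # constructed: attributes, then value 1
    chain = {"shimx64.efi": sample_pe(1432), "grubx64.efi": sample_pe(1432), "vmlinuz": sample_pe(0)}
    if secure_boot_enabled(efivar):
        print("Secure Boot on; unsigned stages:", unsigned_stages(chain))
```

A non-zero size only shows that a signature is present; whether the firmware or Shim trusts the signer is a separate check, for example with sbverify from sbsigntool.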

[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-27 Thread Andres Rodriguez
@Rod,

Can you retry this URL as a different images source:

http://162.213.35.187/proposed/streams/v1/index.json


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-22 Thread Rod Smith
Andres, I've downloaded that file, but I have no idea where to put it. I
can't find a file called index.json on my MAAS server.


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-22 Thread Andres Rodriguez
We have a test stream that uses the signed Linux kernel instead of the
non-signed one for x86. Can you please test it from this stream:

http://162.213.35.187/proposed/streams/v1/index.json

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1711203

Title:
  Deployments fail when Secure Boot enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/curtin/+bug/1711203/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-22 Thread Lee Trager
** Branch linked: lp:~ltrager/maas-images/maas_images_signed_kernel


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-21 Thread Andres Rodriguez
** Changed in: maas-images
   Assignee: (unassigned) => Lee Trager (ltrager)


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-16 Thread Rod Smith
To be clear, although installing the signed kernel package is necessary,
a failure to do this is NOT the source of this bug, which seems to
relate to how Shim and/or GRUB handle the MAAS boot path, which involves
Shim and GRUB being PXE-booted and then chainloaded to (Shim and?) GRUB
on the hard disk. I am available for testing of proposed fixes; I have
one system with Secure Boot available on my home network and sporadic
access to others in 1SS (from OIL; we can transfer them over to the
certification network from time to time).


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-16 Thread Andres Rodriguez
** Changed in: maas-images
   Status: Confirmed => In Progress


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-16 Thread Andres Rodriguez
** Branch linked: lp:~andreserl/maas-images/maas_images_signed_kernel


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-16 Thread Andres Rodriguez
** Also affects: maas-images
   Importance: Undecided
   Status: New


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-16 Thread Andres Rodriguez
** Changed in: maas-images
   Status: New => Confirmed

** Changed in: maas-images
   Importance: Undecided => High

** Changed in: maas-images
   Importance: High => Critical

** Changed in: maas
   Importance: Undecided => Critical

** Changed in: maas
   Milestone: None => 2.3.0


Re: [Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-16 Thread Steve Langasek
On Thu, Nov 16, 2017 at 09:53:18PM -, Ryan Harper wrote:
> No one in this thread has answered how MAAS or curtin
> knows that it should install the -signed version of linux-image.

It should *unconditionally* prefer the -signed version of linux-image.


Re: [Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-16 Thread Ryan Harper
No one in this thread has answered how MAAS or curtin
knows that it should install the -signed version of linux-image.

Once that knowledge is passed on, we can work out if curtin
can detect that or if maas can and specify which kernel package
to use.


On Thu, Nov 16, 2017 at 3:25 PM, Steve Langasek <
steve.langa...@canonical.com> wrote:

> If maas+curtin are not installing the signed variant of the linux-image
> package on UEFI systems, this is not invalid for maas+curtin - when we
> rev the grub secureboot policy (ETA January), these systems will be
> unbootable BY DESIGN.  Regardless of whether this configuration has
> tickled a regression in grub, this MUST be fixed.
>
> ** Changed in: maas
>    Status: Invalid => Confirmed
>
> ** Changed in: grub2 (Ubuntu)
>    Status: Confirmed => Won't Fix

[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-16 Thread Steve Langasek
If maas+curtin are not installing the signed variant of the linux-image
package on UEFI systems, this is not invalid for maas+curtin - when we
rev the grub secureboot policy (ETA January), these systems will be
unbootable BY DESIGN.  Regardless of whether this configuration has
tickled a regression in grub, this MUST be fixed.

** Changed in: maas
   Status: Invalid => Confirmed

** Changed in: grub2 (Ubuntu)
   Status: Confirmed => Won't Fix


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-11-16 Thread Narinder Gupta
Any updates on this issue?


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-09-11 Thread Jeff Lane
Set the Grub2 task to High to grab attention (and because it's at least
a High, if not Critical, bug).  My gut says this should be critical as
it's blocking the deployment of systems from multiple vendors in
multiple datacenter and lab environments anytime SecureBoot is enabled.

** Changed in: grub2 (Ubuntu)
   Importance: Undecided => High

** Changed in: grub2 (Ubuntu)
   Status: New => Confirmed


[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-09-11 Thread Narinder Gupta
I am facing a similar issue at the Dell site, and all Dell servers are
exhibiting this behavior when Secure Boot is enabled.

** Also affects: dellserver
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1711203

Title:
  Deployments fail when Secure Boot enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/curtin/+bug/1711203/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1711203] Re: Deployments fail when Secure Boot enabled

2017-08-17 Thread Andres Rodriguez
Since 2.02-beta2-36ubuntu3.11 works but .12 (which is the latest in
Xenial updates) doesn't, this seems to confirm the regression in grub.
Marking invalid for MAAS and curtin!

MAAS will automatically pick up a fixed grub once it is on the archive.

** Also affects: grub2 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: curtin
   Status: Incomplete => Invalid

** Changed in: maas
   Status: Incomplete => Invalid
